Solved: How to use map to calculate fields data separately...

amitrinx · ‎03-13-2023

Hi,

I have a combination of consumer limits

e.g, A=1000 b=500 c=500 d=200 rest=100
So basically i want a list of all consumer who reached 80% limit. So i wrote a query for one consumer. how can i accommodate all other consumers with different limits. Should i write separate query for each consumer?

sourcetype="OS"
operation= "ABC"
consumer_src="A"
| search minutesago= 1
| stats count by consumer_src
| where count >= 0.8 * 1000

ITWhisperer · ‎03-13-2023

sourcetype="OS"
operation= "ABC"
| search minutesago= 1
| stats count by consumer_src
| eval limit=case(consumer_src=="A", 1000, consumer_src=="b", 500, consumer_src=="c", 500, consumer_src=="d", 200, 1==1, 100)
| where count >= 0.8 * limit

View solution in original post

ITWhisperer · ‎03-13-2023

sourcetype="OS"
operation= "ABC"
| search minutesago= 1
| stats count by consumer_src
| eval limit=case(consumer_src=="A", 1000, consumer_src=="b", 500, consumer_src=="c", 500, consumer_src=="d", 200, 1==1, 100)
| where count >= 0.8 * limit

How to use map to calculate fields data separately for each entity?

fields

table

Enterprise Security Content Update (ESCU) | New Releases

Index This | What gets bigger the more you remove?

Introducing the 2024 Splunk MVPs!